elastic/elasticsearch
Security model
Trust boundaries, defaults, and the security primitives a developer working on Elasticsearch needs to internalize. For the implementation details of the security plugin see Security feature.
Trust boundaries
Three boundaries matter:
- Client → cluster — REST traffic. TLS-protected, authenticated, authorized.
- Node ↔ node — transport traffic. TLS-protected. Inter-node messages carry their own authentication context derived from the originating REST request (see "thread context").
- Cluster → external services — repositories, inference providers, OIDC IdPs, Kerberos, etc. Outbound TLS, credentials in the keystore.
A node can also call out to a remote cluster (CCS / CCR), which is treated as an external service with its own credentials.
Defaults
Since 8.0, security is on by default. First-start auto-configuration generates self-signed certificates and a random elastic user password. The dev :run task uses a relaxed configuration; production deployments must replace the self-signed cert with a real one before exposing the cluster.
To run without security in tests:
./gradlew :run -Dtests.es.xpack.security.enabled=falseAuthentication
Authentication runs as a chain of Realms. A request is authenticated when one realm produces a valid User. See the Security feature page for the full list of realms.
Once authenticated, the user identity travels in the ThreadContext (server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContext.java) — a thread-local map of headers preserved across thread-pool transitions and over the wire. Every transport message carries the auth context of its originator.
Authorization
Every action goes through an AuthorizationService.authorize(...) call wired in via an ActionFilter. The action name (indices:data/read/search, cluster:admin/snapshot/create, etc.) is matched against the user's effective privileges:
- Cluster privileges: e.g.
monitor,manage,manage_security. - Indices privileges: a list of
(action_pattern, index_pattern, dls?, fls?). - Application privileges: arbitrary scopes scoped to a named application (used by Kibana).
DLS (document-level security) attaches a query filter; FLS (field-level security) strips fields.
Audit
AuditTrail records every authentication and authorization event, plus connection events and run-as. Output goes to a local log file or an audit index; configurable per event type and per user.
Secrets management
Secrets (passwords, certificate paths, API tokens for repositories and inference) live in the keystore (config/elasticsearch.keystore), an encrypted JCA keystore. Code reads them via SecureSetting:
public static final Setting<SecureString> ACCESS_KEY = SecureSetting.secureString("s3.client.default.access_key", null);The keystore is reloadable: POST /_nodes/reload_secure_settings triggers a reload across the cluster.
Operator privileges
A small set of cluster-management actions are reserved for explicitly-named "operator" users — used by Elastic Cloud to keep certain controls (license install, cluster shutdown) out of customer hands. See x-pack/plugin/security/.../operator/.
API keys
API keys are first-class authentication tokens with their own privilege envelope. A user can create a key that is more restricted than they are, useful for embedding in external services.
TLS configuration
libs/ssl-config/ is the project's unified TLS configuration parser. Used by:
- HTTP server (
xpack.security.http.ssl.*). - Transport server (
xpack.security.transport.ssl.*). - Outbound clients (S3, Azure, GCS, HTTP repository, inference, monitoring).
Hot-reload of TLS materials is supported via _nodes/reload_secure_settings.
FIPS
The elasticsearch.fips Gradle plugin produces FIPS-compliant distributions: BC FIPS provider, no SHA-1 in TLS, hardened password hashing (PBKDF2), and a smaller set of TLS cipher suites.
Things that are not Elasticsearch's responsibility
- Network segmentation. The cluster does not enforce L3/L4 firewalls; deploy behind your own perimeter.
- Disk encryption at rest. Use OS-level disk encryption.
- Backup encryption. Snapshots are not natively encrypted; enable repository-level encryption (e.g. SSE-S3) at the storage layer.
Where to find security touch points
x-pack/plugin/security/— the implementation.x-pack/plugin/core/.../security/authz/privilege/— privilege catalog.x-pack/plugin/security/.../operator/— operator privileges.libs/ssl-config/— TLS parsing.libs/entitlement/— per-plugin JDK call gating.server/src/main/java/org/elasticsearch/common/util/concurrent/ThreadContext.java— security context propagation.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.